General
-
Target
JaffaCakes118_33e82123f4c295fa0a745a2e8a7494bf
-
Size
11.7MB
-
Sample
241231-ywd3cszjdj
-
MD5
33e82123f4c295fa0a745a2e8a7494bf
-
SHA1
98a77e79583752b4525e3db66c8c72ef1b3e6727
-
SHA256
3524db898f877769c05f7ddf2d8ce8aaeab657f72101c37cf1cb6e1dae27db60
-
SHA512
877296d2ea7720b52faec155e7cb850d0d59315bb7b274b6eb2e1c558bdb4d0eb9467110b58e0773ed248a19ee385c8fe18cf16bf3ed257f3260818592e70542
-
SSDEEP
6144:qpZQURQYSIyx87mtw370yh8hcihvqFAjUF:oZ6Iyx87R0ymGihiOjU
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
JaffaCakes118_33e82123f4c295fa0a745a2e8a7494bf
-
Size
11.7MB
-
MD5
33e82123f4c295fa0a745a2e8a7494bf
-
SHA1
98a77e79583752b4525e3db66c8c72ef1b3e6727
-
SHA256
3524db898f877769c05f7ddf2d8ce8aaeab657f72101c37cf1cb6e1dae27db60
-
SHA512
877296d2ea7720b52faec155e7cb850d0d59315bb7b274b6eb2e1c558bdb4d0eb9467110b58e0773ed248a19ee385c8fe18cf16bf3ed257f3260818592e70542
-
SSDEEP
6144:qpZQURQYSIyx87mtw370yh8hcihvqFAjUF:oZ6Iyx87R0ymGihiOjU
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2